FreeBSD Afterinstall

Overview

  • Use local files (rc.conf.local, rc.local etc) for updating configuration information where possible. This makes mergemaster(8) much easier while upgrading the system.

uname(1)

FreeBSD partvarious-lx.eglbp.corp.domain.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6: Sun Oct 14 20:45:43 IST 2007     shanu@partvarious-lx.eglbp.corp.domain.com:/usr/obj/usr/home/src/sys/MYKERNEL  i386

Update Path Settings

Update $PATH in ~/.cshrc with /usr/local/{bin,sbin}

[121:~] shanu% grep path .tcshrc 
set path = ( [..] /usr/local/bin /usr/local/sbin )
  • Don't *delete* any existing entries, just append to them.
  • This is only for (t)csh.

Sudo(8) Access

I am very picky about being root, so the first thing I do is to get sudo installed and configured.

> pkg_add -r sudo
> visudo
### sudoers ###
# Override builtin defaults
Defaults        syslog=auth,timestamp_timeout=60,!set_logname
 
# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
  • Add yourself to the wheel group
> id
uid=13788(shanu) gid=13788(shanu) groups=13788(shanu), 0(wheel)


rc.conf

  • Move rc.conf to rc.conf.local and zero out rc.conf
cd /etc
cp rc.conf rc.conf.local
truncate -s 0 rc.conf

Update User Accounts

  • Add $USER with correct UID (match with office UNIX UID)
  • Add $USER to groups wheel and operator

Update Sendmail

  • Update sendmail.mc
  • Update aliases
  • Regen .cf
> cd /etc/mail
> make install
> make restart

Update fstab(5)

  • Update fstab to include USB, NTFS, nfs/smb mounts, proc and linprocfs mounts
linprocfs   /compat/linux/proc   linprocfs   rw   0  0
linsys      /compat/linux/sys    linsysfs    rw 0 0
proc        /proc                procfs     rw  0 0
# filer
//guest@filer/storage   /mnt/filer      smbfs   rw,noauto,-I192.168.44.3,-N,-WshanuNet 0 0
/dev/ad0s1      /mnt/windows    ntfs    ro   0   0
buffy.bangalore.corp.domain.com:/home/mp3    /mnt/mp3    nfs ro,noauto 0 0
buffy.bangalore.corp.domain.com:/home/stuff  /mnt/stuff  nfs ro,noauto 0 0
# usb
/dev/da0s1    /mnt/usb0   msdosfs rw,noauto   0 0
/dev/da1s1    /mnt/usb1   msdosfs rw,noauto   0 0

tunefs(8)

  • Tune /home for space (was speed)
> tunefs -L home -m 5 -o space -l enable /home

locate.updatedb(8)

  • Run the script manually for the first time
> cd /etc/periodic/weekly/
> ./310.locate

Devices

sound(4)

  • Setup the sound device
[partvarious-lx] ~> grep snd  /boot/loader.conf.local
snd_ich_load="YES"


CDROM

  • Enable DMA transfers on the CDROM device
  • chown /cdrom to $USER
### rc.local ###
atacontrol mode acd0 WDMA2
> sudo atacontrol mode acd0
current mode = WDMA2
> chown shanu /cdrom

Wireless

Atheros 5416 MacBook Pro Wireless

http://wiki.freebsd.org/AppleMacbook

Intel Pro Wireless 2200 BG

iwi0: <Intel(R) PRO/Wireless 2200BG> mem 0xb0107000-0xb0107fff irq 18 at device 6.0 on pci6
  • See iwi(4).
  • Install net/iwi-firmware-kmod for the firmware and load it up as below
### loader.conf.local
if_iwi_load="YES"
iwi_bss_load="YES" # don't think this is needed


> ifconfig iwi0
iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       inet6 fe80::215:ff:fe47:a723%iwi0 prefixlen 64 scopeid 0x2 
       inet 192.168.44.10 netmask 0xffffff00 broadcast 192.168.44.255
       ether 00:15:00:47:a7:23
       media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
       status: associated
       ssid XXXXX channel 6 bssid 00:14:bf:d4:85:06
       authmode OPEN privacy ON deftxkey 1 wepkey 1:40-bit txpowmax 100
       bmiss 10 protmode CTS bintval 100

Wireless-G Notebook Adapter WPC54G V3 (PCMCIA)

ndis0: <Wireless-G Notebook Adapter WPC54G V3> mem 0x90010000-0x90011fff irq 10 at device 0.0 on cardbus1
pci bus 0x0004 cardnum 0x00 function 0x00: vendor 0x14e4 device 0x4318
 Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller
 CardVendor 0x1737 card 0x0048 (Linksys WPC54G-EU version 3 [Wireless-G Notebook Adapter])
  STATUS    0x0000  COMMAND 0x0006
  CLASS     0x02 0x80 0x00  REVISION 0x02
  BIST      0x00  HEADER 0x00  LATENCY 0xa8  CACHE 0x00
  BASE0     0x90010000  addr 0x90010000  MEM
  MAX_LAT   0x00  MIN_GNT 0x00  INT_PIN 0x01  INT_LINE 0x0a
  BYTE_0    0x01  BYTE_1  0x00  BYTE_2  0xc2  BYTE_3  0x07


  • See ndis(4)
  • The kld is built from the following Windows NDIS drivers - BCMWL5.SYS and LSBCMNDS.inf
[partvarious-lx] ~> ifconfig ndis0
ndis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       ether 00:18:f8:f9:a7:9c
       inet 192.168.43.10 netmask 0xffffff00 broadcast 192.168.43.255
       media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
       status: associated
       ssid Beastie channel 6 (2437 Mhz 11g) bssid 00:14:bf:e7:0d:cf
       authmode OPEN privacy OFF txpowmax 100 bmiss 7 scanvalid 60
       protmode CTS roaming MANUAL

Networking

rc.conf.local

hostname="faith.shanu.net"

# Networking
ifconfig_iwi0="wpa DHCP"
ifconfig_rl0="DHCP"
# ifconfig_rl0="DHCP ether 00:14:38:06:FD:7A"
background_dhclient_iwi0="YES"
  • The iwi(4) driver is loaded via loader.conf.local
  • The wireless settings are managed using wpa_supplicant(8)

wpa_supplicant.conf

[faith] ~> cat /etc/wpa_supplicant.conf 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
   ssid="shanuNet"
   scan_ssid=1
   key_mgmt=NONE
   wep_tx_keyidx=0
   wep_key0=xxxxxxxx
}

#network={
   #ssid="taps"
   #key_mgmt=WPA-PSK
   #psk="xxxxxxxxx"
#}


[faith] ~> ps axw|grep wpa
 412  ??  Ss     0:00.73 /usr/sbin/wpa_supplicant -B -q -i iwi0 -c /etc/wpa_supplicant.conf -D bsd -P /var/run/wpa_supplicant/iwi0
31929  p1  R+     0:00.00 grep wpa

loader.conf.local

The iwi driver does not seem to be fully MPSAFE, causing me frequent lockups. I have disabled it on -CURRENT as below.

debug.mpsafenet="0"

> uname -a
FreeBSD faith.shanu.net 7.0-CURRENT FreeBSD 7.0-CURRENT #11: Sat Dec  9 11:56:55 IST 2006     shanu@faith.shanu.net:/usr/obj/usr/src/sys/MYKERNEL i386

Updating src/ports

csup(1)

csup(1) is a cvsup client written in C and part of the base OS. It's a much lighter replacement for the tool devel/cvsup.

> sudo /usr/bin/csup -L2 /etc/supfile

supfile

  1. /etc/supfile # create if it does not exist
### supfile ###
*default host=cvsup6.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix

# src-all # this tracks HEAD (-CURRENT) - use with care
ports-all # this should be ok
  • WARNING: The above supfile will take you to -current.

buildworld/buildkernel

make.conf(5)

### make.conf ###
CPUTYPE?=pentium4
CFLAGS= -O -pipe
COPTFLAGS= -O -pipe

PERL_VER=5.8.8
PERL_VERSION=5.8.8
WITH_GTK2=yo
WITHOUT_MOZILLA=yo
WITHOUT_DEBUG=yes
WITH_GECKO=firefox
WITH_CPUFLAGS=yes
WITH_OPTIMIZED_CFLAGS=yes
WRKDIRPREFIX=/home/mp3/tmp

Build World

> cd /usr/src
> sudo make buildworld
> sudo make buildkernel
> sudo make installkernel
> sudo reboot
> sudo make installworld
> sudo mergemaster

Upgrade Ports

> sudo portupgrade -a -i
  • Do a full OS upgrade using the GENERIC kernel. Once the system is stable, switch to MYKERNEL.
  • Update ports after building world to avoid dependency problems after the OS upgrade
  • See PortUpgrade for more on portupgrade(1)

Kernel

Bootstrap Configuration

loader.conf(5)

### loader.conf.local ###

sound_load="YES"
snd_ich_load="YES"
i915_load="YES"
ichsmb_load="YES"
acpi_video_load="YES"
atapicam_load="YES"
if_bridge_load="YES"
bridgestp_load="YES"
if_tap_load="YES"
if_iwi_load="YES"
wlan_load="YES"
wlan_wep="YES"
iwi_bss_load="YES"
kqemu_load="YES"
  • kqemu, iwi etc. are in ports/

MYKERNEL

Build

> cd /sys/i386/conf/
> sudo cp GENERIC MYKERNEL 
> cd /usr/src
> sudo make buildkernel KERNCONF=MYKERNEL
> sudo make installkernel KERNCONF=MYKERNEL

Additions to MYKERNEL

### MYKERNEL ###
cpu             I686_CPU
ident           MYKERNEL
  • Debug
# Debugging for use in -current
options         KDB                     # Enable kernel debugger support.
options         DDB                     # Support DDB.
options         GDB                     # Support remote GDB.
#options        INVARIANTS              # Enable calls of extra sanity checking
#options        INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
#options        WITNESS                 # Enable checks to detect deadlocks and cycles
#options        WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed
  • ALTQ
# altq(9). Enable the base part of the hooks with the ALTQ option.
# Individual disciplines must be built into the base system and can not be
# loaded as modules at this point. ALTQ requires a stable TSC so if yours is
# broken or changes with CPU throttling then you must also have the ALTQ_NOPCC
# option.
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required if the TSC is unusable
#options         ALTQ_DEBUG
  • Misc
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

sysctl.conf(5)

### sysctl.conf ###
#security.bsd.see_other_uids=0
debug.cpufreq.lowest=425
vfs.usermount=1
#hw.acpi.reset_video=0
#hw.acpi.verbose=0
hw.syscons.sc_no_suspend_vtswitch=0

Filesystem

devfs(8)

devfs(8) allows device permissions to be persistent across reboots. Below are some standard entries to devfs.conf to make things work for non-root users.

### devfs.conf ### 

# Commonly used by many ports
link    acd0    cdrom
perm    acd0    0666
# cdrecord to work as non-root
link    cd0     cdrecorder
perm    cd0     0666
perm    xpt0    0666
perm    pass0   0666
perm    tap?    0660
# Allow a user in the wheel group to query the smb0 device
#perm   smb0    0660
# Allow members of group operator to cat things to the speaker
#own    speaker root:operator
#perm   speaker 0660

### devfs.rules ###
[system=10]
add path 'unlpt*' mode 0660 group cups
add path 'ulpt*' mode 0660 group cups
add path 'lpt*' mode 0660 group cups

Network File Systems

rpcbind_enable="YES"
rpc_lockd_enable="YES"
nfs_client_enable="YES"
nfs_server_enable="YES"

fstab(5)

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s4b             none            swap    sw              0       0
/dev/ad0s4a             /               ufs     rw              1       1
/dev/ad0s1              /mnt/win        ntfs    ro              0       0
/dev/ad0s2              /mnt/dos        msdosfs ro              0       0
/dev/ad0s4d             /usr            ufs     rw,noatime      2       2
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0

# NFS
buffy:/home/mp3        /home/mp3 nfs   rw,noauto 0 0

# LINUX_COMPAT
linproc                 /compat/linux/proc      linprocfs       rw 0 0
linsys                  /compat/linux/sys       linsysfs        rw 0 0
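As an added example (not part of the original page), here is a small POSIX sh/awk checker for fstab entries written the way the two fstab listings above are: it flags lines with the wrong field count, network (nfs, smbfs) and removable (msdosfs on da*, cd9660 on acd*/cd*) mounts that lack noauto, and wrong fsck pass numbers for / and swap. The sample fstab inside it is constructed for this example and deliberately contains three such faults; the checks are my own reading of fstab(5) rather than anything the page states.

```shell
#!/bin/sh
# Added example: lint an fstab(5) in the style used on this page.
# Not the page's code; the sample below is constructed and seeds three faults.

SAMPLE_FSTAB='# Device        Mountpoint          FStype    Options      Dump Pass
/dev/ad0s4b     none                swap      sw           0    0
/dev/ad0s4a     /                   ufs       rw           1    1
/dev/ad0s4d     /usr                ufs       rw,noatime   2    2
/dev/ad0s1      /mnt/win            ntfs      ro           0    0
/dev/acd0       /cdrom              cd9660    ro,noauto    0    0
/dev/da0s1      /mnt/usb0           msdosfs   rw           0    0
buffy:/home/mp3 /home/mp3           nfs       rw           0    0
linproc         /compat/linux/proc  linprocfs rw           0    0
//guest@filer/storage /mnt/filer    smbfs     rw,noauto,-N 0
'

# fstab_check FSTAB_TEXT: print one WARN line per finding (nothing when clean)
fstab_check() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); if (NF == 0) next }          # drop comments and blank lines
        NF != 6 { print "WARN: expected 6 fields, got " NF ": " $0; next }
        {
            dev = $1; mp = $2; fs = $3; opts = "," $4 ","; pass = $6
            noauto = (opts ~ /,noauto,/)
            # a network mount without noauto stalls boot while the server is unreachable
            if ((fs == "nfs" || fs == "smbfs") && !noauto)
                print "WARN: network mount " mp " (" fs ") lacks noauto"
            # removable media (USB da*, optical acd*/cd*) is often absent at boot
            if ((fs == "msdosfs" || fs == "cd9660") && dev ~ /^\/dev\/(da|a?cd)[0-9]/ && !noauto)
                print "WARN: removable mount " mp " on " dev " lacks noauto"
            if (mp == "/" && pass != 1)
                print "WARN: root filesystem must be fsck pass 1: " $0
            if (fs == "swap" && pass != 0)
                print "WARN: swap should have pass 0: " $0
        }'
}

# fstab_warning_count FSTAB_TEXT: number of WARN lines (always prints a number)
fstab_warning_count() {
    fstab_check "$1" | awk 'END { print NR }'
}

fstab_check "$SAMPLE_FSTAB"
echo "warnings: $(fstab_warning_count "$SAMPLE_FSTAB")"
```

Run it against the real file with `fstab_check "$(cat /etc/fstab)"`; a clean fstab prints nothing and a count of 0.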

Compiler Settings

make.conf

WITH_CPUFLAGS=yes
WITH_OPTIMIZED_CFLAGS=yes
# /usr/local/share/doc/ccache/ccache-howto-freebsd.txt
.if (!empty(.CURDIR:M/usr/src*) || !empty(.CURDIR:M/usr/obj*)) && !defined(NOCCACHE)
CC=/usr/local/libexec/ccache/world-cc
CXX=/usr/local/libexec/ccache/world-c++
.endif
WITH_CCACHE=yes
#NOCCACHE=yes

.cshrc.local

# /usr/local/share/doc/ccache/ccache-howto-freebsd.txt
setenv PATH /usr/local/libexec/ccache:$PATH
setenv CCACHE_PATH /usr/bin:/usr/local/bin
setenv CCACHE_DIR "/usr/.ccache"

devel/ccache

[faith] ~> pkg_info -x ccac
Information for ccache-2.4_6:

Comment:
A tool to minimize the compile time of C/C++ programs


Description:
ccache is a compiler cache.  It acts as a caching pre-processor to C/C++
compilers, using the -E compiler switch and a hash to detect when a
compilation can be satisfied from cache.  This often results in a 5 to 10
times speedup in common compilations.

WWW: http://ccache.samba.org/

[faith] ~> portinstall devel/ccache
[faith] ~> ccache -s
cache directory                     /usr/.ccache
cache hit                             10
cache miss                           437
called for link                       21
compile failed                         1
not a C/C++ file                      22
autoconf compile/link                 45
no input file                         32
files in cache                       874
cache size                           7.7 Mbytes
max cache size                     976.6 Mbytes

Security And Firewall

pf(4)

# Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf.local"
pflog_enable="YES"

pf.conf.local

# Macros
buffy="10.80.37.171"    # office box
dsl="192.168.44.1"              # ADSL Router
wifi="192.168.44.2"             # Linksys WiFi Router
table <devices> const { 192.168.44.1, 192.168.44.2 }
table <vlans> const { 192.168.45.0/24 }
set block-policy return
# normalize packets
scrub in all
# nat on iwi0 [qemu]
nat on iwi0 from <vlans> to any -> (iwi0)
# lo0 is trusted
set skip on lo0
# default block everything 
block in  log all label "block-all"
block out log all label "block-all"
# pass in ICMP
pass in proto icmp from any to any keep state label "icmp"
# allow syslog from <devices>
pass in proto udp from <devices> to any port syslog keep state label "syslog"
# office box
pass in from $buffy to any keep state label "buffy"
# pass in ssh
pass in proto tcp from any to any port ssh keep state label "ssh"
# pass in DNS traffic
pass in proto { tcp, udp } from any to any port domain keep state label "domain"
# pass in HTTP
pass in proto tcp from any to any port http  keep state label "http"
pass in proto tcp from any to any port https keep state label "https"
# pass in bittorrent
pass in proto { tcp, udp } from any to any port 6881:6999 keep state label "torrent"
# pass in Multicast DNS
pass in proto { tcp, udp } from any to 224.0.0.251 port mdns keep state label "mdns"
# pass in 1900 from the DSL router
pass in proto udp from $dsl to any port 1900 keep state label "dsl-bcast"
# pass in UPnP
pass in proto { tcp, udp } from any to any port 5000 keep state label "uPnP"
# pass in iTunes
pass in proto tcp from any to any port 3689 keep state label "iTunes"
# trust 192.168.45.0/24: That's our qemu subnet
pass in on tap0 from <vlans> to any keep state label "vlans"
# allow outbound
pass out from any to any keep state
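As an added example (not code from the page), a lint pass in POSIX sh/awk over a pf.conf written in the single-line style of the ruleset above. It reports exact-duplicate rules, pass rules without a label (labels are what make pfctl -s labels and pflog counters useful), inbound pass rules open to `from any` on every interface (the set worth comparing against hosts.allow), and block rules that come after pass rules, since without `quick` pf is last-match-wins and such a block silently overrides the earlier pass. Both rulesets inside are constructed samples; the page's own ruleset is not modified.

```shell
#!/bin/sh
# Added example: lint a pf.conf ruleset of the single-line shape used above.
# Not the page's code; the rulesets below are constructed for the example.

# Mirrors the shape of the ruleset above, with a duplicated pass-out rule.
PF_RULES='
set block-policy return
scrub in all
set skip on lo0
# default block everything
block in  log all label "block-all"
block out log all label "block-all"
pass in proto icmp from any to any keep state label "icmp"
pass in proto tcp from any to any port ssh keep state label "ssh"
pass in proto udp from 192.168.44.1 to any port 1900 keep state label "dsl-bcast"
pass in on tap0 from 192.168.45.0/24 to any keep state label "vlans"
pass out from any to any keep state
pass out from any to any keep state
'

# A ruleset where a block follows the pass rules: without "quick" pf applies the
# last matching rule, so this block overrides the ssh pass above it.
PF_BAD_ORDER='
block in log all label "block-all"
pass in proto tcp from any to any port ssh keep state label "ssh"
block in proto tcp from any to any port ssh
'

# pf_lint RULES: one finding per line, prefixed DUPLICATE:, UNLABELED:,
# OPEN-TO-ANY: or ORDER:
pf_lint() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }  # normalise whitespace
        /^$/ { next }
        {
            if ($0 in seen) print "DUPLICATE: " $0
            seen[$0] = 1
            if ($1 == "pass") {
                passes++
                if ($0 !~ /label/) print "UNLABELED: " $0
                # inbound, any source, not bound to one interface
                if ($2 == "in" && $0 ~ / from any / && $0 !~ / on /) print "OPEN-TO-ANY: " $0
            }
            if ($1 == "block" && passes > 0 && $0 !~ / quick /)
                print "ORDER: block after pass (last match wins): " $0
        }'
}

# pf_lint_count KIND RULES: how many findings of one kind, e.g. DUPLICATE
pf_lint_count() {
    pf_lint "$2" | awk -v k="$1:" 'index($0, k) == 1 { n++ } END { print n + 0 }'
}

pf_lint "$PF_RULES"
pf_lint "$PF_BAD_ORDER"
```

The lint only understands one rule per line with no macros or multi-line braces, which is all this ruleset uses; run `pfctl -nf /etc/pf.conf.local` as well, since only pfctl parses the full grammar.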

hosts_access(5)

### hosts.allow ###
ALL: LOCAL : allow
ALL: 127.0.0.0/255.255.255.0 : allow
ALL: 10.80.37.171 : allow
sshd: 192.168.44.0/255.255.255.0 : allow
sshd: 192.168.45.0/255.255.255.0 : allow
sshd: 192.168.77.0/255.255.255.0 : allow
sshd: 10.0.0.0/255.255.0.0 : allow
sshd: PARANOID : allow
syslogd: 192.168.44.0/28 : allow
ALL: ALL: deny
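As an added example, and not part of the original page, a POSIX sh evaluator for rules in the `daemon : client : allow|deny` form used above, so the decision for a given daemon and client address can be previewed before a new hosts.allow goes live. It is not libwrap: it handles ALL, plain IPv4 addresses, n.n.n.n/m.m.m.m netmask patterns and n.n.n.n/len prefix patterns, while name-based patterns (LOCAL, PARANOID, KNOWN, UNKNOWN, domain suffixes) need hostname lookups and are treated as non-matching here. The rule text inside is a constructed sample drawn from the ruleset above. First matching rule wins, and, as with libwrap, a request that no rule matches is allowed.

```shell
#!/bin/sh
# Added example: first-match evaluator for hosts.allow-style rules.
# Not libwrap and not the page's code; the rules below are a constructed sample.

HOSTS_ALLOW='
ALL: 127.0.0.0/255.255.255.0 : allow
ALL: 10.80.37.171 : allow
sshd: 192.168.44.0/255.255.255.0 : allow
sshd: 10.0.0.0/255.255.0.0 : allow
syslogd: 192.168.44.0/28 : allow
ALL: ALL: deny
'

# trim STRING: strip surrounding blanks (relies on word splitting)
trim() { set -- $1; echo "$*"; }

# ip2int A.B.C.D: dotted quad to a 32-bit integer
ip2int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# prefix2mask N: prefix length to a netmask integer (28 -> 0xFFFFFFF0)
prefix2mask() {
    m=0; i=0
    while [ "$i" -lt "$1" ]; do m=$(( m * 2 + 1 )); i=$(( i + 1 )); done
    while [ "$i" -lt 32 ]; do m=$(( m * 2 )); i=$(( i + 1 )); done
    echo "$m"
}

# client_matches PATTERN ADDR: succeeds when ADDR falls inside PATTERN
client_matches() {
    case $1 in
        ALL) return 0 ;;
        LOCAL|PARANOID|KNOWN|UNKNOWN|*[a-zA-Z]*) return 1 ;;  # name-based: not evaluated here
        */*)
            net=${1%/*}; maskspec=${1#*/}
            case $maskspec in
                *.*) mask=$(ip2int "$maskspec") ;;        # n.n.n.n/m.m.m.m
                *)   mask=$(prefix2mask "$maskspec") ;;   # n.n.n.n/len
            esac
            [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)  [ "$(ip2int "$1")" -eq "$(ip2int "$2")" ] ;;
    esac
}

# hosts_access DAEMON ADDR: prints allow or deny; first matching rule wins,
# and a request matched by no rule is allowed (libwrap behaviour)
hosts_access() {
    decision=$(printf '%s\n' "$HOSTS_ALLOW" | while IFS=: read -r dlist clist opt; do
        dlist=$(trim "$dlist"); clist=$(trim "$clist"); opt=$(trim "$opt")
        case $dlist in ''|\#*) continue ;; esac            # blank or comment line
        [ "$dlist" = ALL ] || [ "$dlist" = "$1" ] || continue
        client_matches "$clist" "$2" || continue
        case $opt in deny) echo deny ;; *) echo allow ;; esac
        break
    done)
    echo "${decision:-allow}"
}

for probe in "sshd 192.168.44.5" "sshd 192.168.45.5" "syslogd 192.168.44.9" \
             "syslogd 192.168.44.20" "ftpd 10.80.37.171"; do
    set -- $probe
    printf '%-8s %-16s %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

The syslogd probes show the effect of the /28: 192.168.44.9 is inside 192.168.44.0-15 and is allowed, while 192.168.44.20 falls through to the final `ALL: ALL: deny`. The same check on the live system is `tcpdmatch`, which does the full libwrap evaluation including hostname lookups.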

Logging

syslogd(8)

Allow remote logging from specified devices.

### rc.conf.local ###
# 192.168.44.1 is the DSL router configured for remote logging
syslogd_flags="-n -a 192.168.44.1:* -a 192.168.44.2:*"
### syslog.conf ###
#+192.168.44.1
*.*                     /var/log/dsl.log

#+192.168.44.2
*.*                     /var/log/wifi.log
sudo touch /var/log/{dsl,wifi}.log

Monitoring

Smart Monitoring

$ sudo portinstall sysutils/smartmontools
$ sudo cp /usr/local/etc/smartd.conf.sample /usr/local/etc/smartd.conf
$ grep smartd /etc/rc.conf.local
smartd_enable=YES
$ sudo /usr/local/etc/rc.d/smartd start
[faith] ~> /usr/local/sbin/smartctl -a /dev/cd0
smartctl version 5.37 [i386-portbld-freebsd7.0] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

Smartctl: please specify device type with the -d option.

Use smartctl -h to get a usage summary

[faith] ~> /usr/local/sbin/smartctl -a /dev/ad0|head
smartctl version 5.37 [i386-portbld-freebsd7.0] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Device Model:     ST960812A
Serial Number:    5PJ0VQWQ
Firmware Version: 3.05
User Capacity:    60,011,642,880 bytes
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   6
[faith] ~>

X Windows

> sudo portinstall x11/xorg
> sudo portinstall x11-wm/enlightenment-devel
> sudo portinstall x11/gnome2-lite
> sudo portinstall x11/kde-lite
  • See the main page for more X Windows and related applications